How can I allow multiple authentication types in Apache?
I have an Apache server using mod_auth_openidc. For one specific directory (the API), I'd like to allow bearer token authentication first with fallback to OpenID. Is that something I can accomplish with an .htaccess file in the API directory?
Desired behavior:
- If a request is made in the API directory:
  - If an "Authorization: Bearer" header is set: use bearer authentication
  - Otherwise: use OpenID Connect
- If a request is made in any other directory: use OpenID Connect
Solution 1:[1]
You can use AuthType auth-openidc, see: https://github.com/zmartzone/mod_auth_openidc/wiki/Single-Page-Applications#allowing-both-oauth-20-and-openid-connect
Solution 2:[2]
The below can help instruct Apache 2.4 to use the proper AuthType via a <Location> block. I have not tested it in a .htaccess file, but the concept should work there too.
This "IF/ELSE" config has been solid so far. Any other Apache configuration resulted in mixed results when API calls were nested within the web app's path.
This IF statement checks for an Authorization: Bearer HTTP header in the request and routes to the proper AuthType as processed. Add in your Require claim directives as recommended.
```apache
<Location "/APP">
    <If "%{HTTP:Authorization} =~ m#^Bearer#i">
        AuthType oauth20
        Require claim aud:xxx
    </If>
    <Else>
        AuthType openid-connect
        Require claim client_id:xxx
    </Else>
    Require valid-user
</Location>
```
Also make sure your JWKS endpoint directive is set on top of your original OpenID Connect provider configuration:
```apache
OIDCOAuthVerifyJwksUri https://{DOMAIN}/.well-known/jwks.json
```
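The following is an added example that ties the two answers together into one complete virtual-host fragment; it is not code from either answer or from the mod_auth_openidc project. The host names, client ID, secret, redirect URI and audience value are placeholders, and the "/APP/api" path is an assumed location of the API directory from the question. It shows the If/Else routing from Solution 2 placed on the API subtree only, with the Require directive inside each branch so the bearer branch is bound to a specific audience, and the single-directive alternative from Solution 1 commented out beside it.

```apache
# Added example: full vhost combining the OIDC relying-party settings, the
# OAuth 2.0 resource-server settings and the per-directory AuthType switch.
# All URLs, IDs, secrets and the audience value below are placeholders.
<VirtualHost *:443>
    ServerName app.example.com

    # --- OpenID Connect relying-party settings (interactive browser login) ---
    OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
    OIDCClientID            my-client-id
    OIDCClientSecret        my-client-secret
    OIDCRedirectURI         https://app.example.com/APP/redirect_uri
    OIDCCryptoPassphrase    replace-with-a-long-random-secret

    # --- OAuth 2.0 resource-server settings (bearer tokens on the API) ---
    # The JWKS URI is what AuthType oauth20 uses to verify the signature of
    # incoming JWT access tokens; without it bearer requests cannot be validated.
    OIDCOAuthVerifyJwksUri   https://idp.example.com/.well-known/jwks.json
    # Claim that becomes REMOTE_USER for bearer-authenticated requests.
    OIDCOAuthRemoteUserClaim sub

    # Everything under the web app: browser login only.
    <Location "/APP">
        AuthType openid-connect
        Require valid-user
    </Location>

    # API subtree (assumed path): bearer token if one is presented, browser
    # login otherwise. Apache merges the longer Location prefix last, so this
    # block overrides the AuthType set on /APP above for requests under /APP/api.
    <Location "/APP/api">
        # "Bearer " with a trailing space is slightly stricter than the
        # original m#^Bearer#i and avoids matching a scheme like "Bearerfoo".
        <If "%{HTTP:Authorization} =~ m#^Bearer #i">
            AuthType oauth20
            # Bind accepted tokens to this API: a valid token minted for a
            # different audience is rejected here rather than granted access.
            Require claim aud:my-api-audience
        </If>
        <Else>
            AuthType openid-connect
            Require valid-user
        </Else>
    </Location>

    # Alternative to the If/Else block (Solution 1): let the module decide
    # per request whether the caller presented a bearer token or needs the
    # OpenID Connect browser flow.
    # <Location "/APP/api">
    #     AuthType auth-openidc
    #     Require valid-user
    # </Location>
</VirtualHost>
```

A quick way to check the result from a shell is to request a path under the API twice: once with no Authorization header, which should answer with a redirect to the provider's authorization endpoint, and once with "Authorization: Bearer <token>", which should answer 200 for a valid token with the expected aud claim and 401 with a WWW-Authenticate: Bearer header for an invalid or wrong-audience one. If the .htaccess variant from the question is preferred, the <If>/<Else> block can be placed in the API directory's .htaccess with AllowOverride AuthConfig enabled, but as the answer notes that variant was not tested by its author.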
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Hans Z. |
| Solution 2 | user3258557 |
